Technical Safeguards, Addressable Does Not Mean Optional

Earlier this year, the California Correctional Health Care Services (CCHCS) reported a potential breach of up to 400,000 records of inmates incarcerated between 1996 and 2014, after a laptop was stolen from an employee's car. Two details in the press release CCHCS issued about the breach stand out. First, CCHCS did not know how much sensitive information, if any, the laptop contained. Second, although the laptop was password protected "in accordance with state protocol", its storage was not encrypted. A login password alone does nothing to protect data on a stolen disk; only encryption at rest does.

Portable devices such as laptops give staff flexibility and easy access to data, but they increase risk for Covered Entities and Business Associates, who have less control over a laptop that leaves the building than over a server in a data center. The results can be disastrous unless the organization knows which portable devices hold ePHI and encrypts the data residing on them, so that the loss of a device is not also the loss of the data.

The HIPAA Security Rule Technical Safeguards contain a number of standards, each with implementation specifications, to guide organizations in protecting and controlling access to ePHI. Some of those implementation specifications, including encryption of ePHI at rest, are designated addressable rather than required. However, addressable does not mean optional.

The Security Rule is explicit about what addressable means: a Covered Entity or Business Associate must assess whether the implementation specification is reasonable and appropriate in its own environment. If it is, the organization must implement it. If it is not, the organization must document why, and then implement an equivalent alternative measure that is reasonable and appropriate. The assessment and the reasoning must be written down; an undocumented decision not to encrypt is indistinguishable, to an auditor, from never having considered it.

Simply ignoring addressable implementation specifications is a dangerous practice that leaves organizations exposed to data breaches. It can also bring substantial penalties for willful neglect, whether a breach occurs or the organization is audited by the Office for Civil Rights (OCR).